DETAILED ACTION

1. This action is in response to the Pre-Appeal Conference Request filed on
December 27, 2005. 

2. Claims 1-19 are currently being considered. 

Claim Rejections - 35 USC § 102 

(e) the invention was described in (1) an application for patent, published under section 122(b), by 
another filed in the United States before the invention by the applicant for patent or (2) a patent 
granted on an application for patent by another filed in the United States before the invention by the 
applicant for patent, except that an international application filed under the treaty defined in section 
351(a) shall have the effects for purposes of this subsection of an application filed in the United States 
only if the international application designated the United States and was published under Article 21(2) 
of such treaty in the English language. 

3. Claims 1-19 are rejected under 35 U.S.C. 102(e) as being anticipated by Moran 
(U.S. Patent No. 6,647,400). 

4. Regarding claim 1, Moran discloses: 

reading events representing various types of system calls (column 7 line 65 - 
column 8 line 23, column 13 lines 26-42); 

routing the event to an appropriate template, the event having multiple 
parameters (column 7 line 65 - column 8 line 23, column 14 lines 13-31); 

filtering the event as either a possible intrusion based on the multiple parameters
and either dropping the event or outputting the event (column 11 lines 15-65, column 32
lines 48-59); and

creating an intrusion alert if an event is output from said filtering step (column 11
lines 15-65, column 32 lines 48-59).

5. With respect to claim 7, Moran et al. disclose a method of detecting critical file 
changes, comprising: 

reading events including encoded information representing system calls (column 
7 line 65 - column 8 line 23, column 13 lines 26-42); 

routing the event to an appropriate template based on the encoded information 
(column 7 line 65 - column 8 line 23, column 14 lines 13-31);

filtering the event as either a possible intrusion based on the encoded information 
and either dropping the event or outputting the event (column 11 lines 15-65, column 32
lines 48-59); and 

creating an intrusion alert if an event is output from said filtering step (column 11
lines 15-65, column 32 lines 48-59).

6. With respect to claim 14, Moran et al. disclose a system for detecting critical file 
changes, comprising: 

a processor (column 5 lines 26-42); 

a memory storing instructions which, when executed by the processor, cause the 
processor to: 

route events to an appropriate template (column 7 line 65 - column 8 line 23, 
column 14 lines 13-31); 

wherein the event includes one or more parameters (column 11 lines 15-65,
column 32 lines 48-59); 

filter the event as either a possible intrusion based on one of the one or more 
parameters and either dropping the event or outputting the event (column 11 lines 15-
65, column 32 lines 48-59); and 

create an intrusion alert if an event is output from the filter (column 11 lines 15- 
65, column 32 lines 48-59). 

7. With respect to claims 2, 8, and 15, Moran et al. disclose a method, wherein said
filtering step outputs an event if the parameters indicate that the permission bits on a file 
or directory were changed (column 9 lines 33-47). 

8. With respect to claims 3, 9, and 16, Moran et al. disclose a method, wherein said
filtering step outputs an event if the parameters indicate that a file was opened for
truncation (column 11 lines 15-48, column 31 lines 31-56).

9. With respect to claims 4, 10, and 17, Moran et al. disclose a method, wherein said
filtering step outputs an event if the parameters indicate that ownership or group 
ownership of a file has been changed (column 9 lines 33-47, column 31 lines 30-57). 

10. With respect to claims 5, 11, and 18, Moran et al. disclose a method, comprising
a create step which outputs an alert message if a file was renamed including a file that
was renamed and a new name that the file was renamed to (column 9 lines 33-47,
column 30 lines 7-13).

11. With respect to claims 6, 12, and 19, Moran et al. disclose a method, comprising
configuring templates based on a list of files and directories to be included or excluded
based on whether the files and directories are considered unmodifiable (column 32 lines
60-67).

12. With respect to claim 13, Moran et al. disclose a computer-readable medium 
storing instructions which, when executed by a processor, cause the processor to 
implement the method steps of claim 1 (column 5 lines 26-42, column 7 line 65 - 
column 8 line 23, column 11 lines 15-65, column 13 lines 26-42, column 32 lines 48-59). 

Conclusion 

Any inquiry concerning this communication or earlier communications from the 
examiner should be directed to Kaveh Abrishamkar whose telephone number is 571- 
272-3786. The examiner can normally be reached on Monday thru Friday 8-5. 

If attempts to reach the examiner by telephone are unsuccessful, the examiner's 
supervisor, Ayaz Sheikh can be reached on 571-272-3795. The fax phone number for
the organization where this application or proceeding is assigned is 571-273-8300.

Information regarding the status of an application may be obtained from the
Patent Application Information Retrieval (PAIR) system. Status information for 
published applications may be obtained from either Private PAIR or Public PAIR. 
Status information for unpublished applications is available through Private PAIR only. 
For more information about the PAIR system, see http://pair-direct.uspto.gov. Should 
you have questions on access to the Private PAIR system, contact the Electronic 
Business Center (EBC) at 866-217-9197 (toll-free). 


KA 

03/14/2006 



SUPERVISORY PATENT EXAMINER 
TECHNOLOGY CENTER 2100


